Web Server Allows Password Auto-Completion
Info Nessus Plugin ID 42057
SynopsisThe 'autocomplete' attribute is not disabled on password fields.
DescriptionThe remote web server contains at least one HTML form field that has an input of type 'password' where 'autocomplete' is not set to 'off'.
While this does not represent a risk to this web server per se, it does mean that users who use the affected forms may have their credentials saved in their browsers, which could in turn lead to a loss of confidentiality if any of them use a shared host or if their machine is compromised at some point.
SolutionAdd the attribute 'autocomplete=off' to these fields to prevent browsers from caching credentials.